10 Nutanix VMware Best Practices

As a Nutanix partner, we often get asked about best practices for using VMware on the Nutanix platform. Here are our top 10.

As a leading hyperconverged infrastructure (HCI) solution, VMware vSphere integrates tightly with the Nutanix software stack to provide a simple, scalable, and cost-effective HCI solution. This paper provides guidance on best practices for deploying and configuring a VMware vSphere environment on top of a Nutanix cluster.

1. Use the Nutanix Acropolis Block Services (ABS) for vSAN

The Acropolis Block Services (ABS) is a high-performance, distributed storage solution that provides deduplication, compression, and other data services at the block level. This means that it’s optimized for storing virtual machine disk images and other types of data that are typically written in large, contiguous blocks.

vSAN is a popular storage solution for VMware environments, but it doesn’t include these same data services. As a result, using ABS in conjunction with vSAN can provide a number of benefits, including improved performance, reduced storage requirements, and more efficient use of network bandwidth.

Nutanix recommends using ABS for all new deployments, and migrating existing deployments to ABS as soon as possible.

2. Enable Deduplication and Compression on your vSAN Datastore

Enabling deduplication and compression increases the amount of data that can be stored on your vSAN datastore: both reduce the size of your data, so more of it fits into the same amount of space.

Deduplication and compression can also help improve the performance of your vSAN datastore. With less data to store, less data needs to be read and written, which can help improve the datastore's speed.

Overall, enabling deduplication and compression is a best practice that can help improve both the performance and the capacity of your vSAN datastore.

3. Create a separate VMkernel port group for iSCSI traffic

When you create a VMkernel port group for iSCSI traffic, it’s important to separate that traffic from other types of traffic on your network. This separation ensures that your iSCSI traffic has the dedicated bandwidth it needs to function properly.

Additionally, separating iSCSI traffic from other types of traffic can help improve security. By keeping iSCSI traffic isolated, you can reduce the risk of an attacker being able to access your storage array.

Finally, separating iSCSI traffic can also help improve performance. By keeping iSCSI traffic on its own dedicated network, you can avoid the bottlenecks that could occur if it were sharing a network with other types of traffic.

4. Configure NFS datastores to use multiple NICs

When configuring an NFS datastore, you have the option of using a single NIC or multiple NICs. Using multiple NICs provides increased performance and redundancy. If one NIC goes down, the other NIC can take over and keep the datastore online.

Configuring multiple NICs for an NFS datastore is a simple process. Just select the “Use Multiple NICs” option when creating the datastore. Then, select the NICs you want to use. That’s it!

By following this best practice, you can ensure that your NFS datastores are always available and running at peak performance.

5. Disable IPv6 in ESXi hosts

IPv6 is the next-generation protocol that will eventually replace IPv4. However, it’s not yet widely adopted, and most networks still use IPv4. As a result, there’s no need to have both protocols enabled in your environment.

Not only does disabling IPv6 simplify your network configuration, but it also reduces the potential for security vulnerabilities. That’s because IPv6 is a newer protocol and hasn’t been as thoroughly tested as IPv4.

To disable IPv6 in ESXi hosts, simply edit the host’s network settings and uncheck the “Enable IPv6” box.

6. Set up a dedicated management network

The management network is used for all communication between the controller VM and the other VMs in the cluster. This includes things like heartbeats, replication, and updates.

If you don’t have a dedicated management network, these communications will compete with other traffic on your network, which can lead to performance issues.

Additionally, having a dedicated management network makes it easier to troubleshoot problems because you can isolate the management traffic from other types of traffic.

Finally, setting up a dedicated management network is a best practice because it increases security. By isolating the management traffic, you make it more difficult for attackers to snoop on the traffic or inject malicious code into the cluster.

7. Disable unused features and services

When you enable a feature or service in VMware, it’s automatically enabled on all of your hosts. This can lead to security vulnerabilities if the feature or service is not properly configured. Additionally, enabling unnecessary features and services can impact performance and stability.

To avoid these problems, it’s important to only enable the features and services that you need. When in doubt, err on the side of disabling features and services. You can always enable them later if you find that you need them.

8. Do not enable SSH or ESXi Shell unless required

If SSH or ESXi Shell is enabled, it provides an attacker with an easy way to gain access to the underlying host operating system. By disabling these services, you make it much more difficult for an attacker to gain a foothold on your system.

Of course, there are times when you may need to enable these services, such as when you’re troubleshooting an issue. In those cases, it’s important to disable them again when you’re finished.

9. Disable TSM-SSH service if you are using Acropolis File Services (AFS)

If you leave the TSM-SSH service enabled on your cluster, and someone were to gain access to your AFS file system, they would also be able to access the TSM-SSH service and potentially other systems on your network. By disabling the TSM-SSH service, you can help limit the potential attack surface of your cluster.
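Items 8 and 9 only hold if someone checks that the shells are switched off again after troubleshooting. The script below is an added example, not part of the original article or any Nutanix or VMware tooling. It audits a CSV export of host service state for the SSH (TSM-SSH) and ESXi Shell (TSM) services; the CSV column layout, host names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory (not real hosts), in the shape produced by:
#   Get-VMHost | Get-VMHostService |
#     Select-Object VMHost,Key,Running,Policy | Export-Csv services.csv
SAMPLE_CSV = """VMHost,Key,Running,Policy
esx01.example.test,TSM,False,off
esx01.example.test,TSM-SSH,False,off
esx01.example.test,ntpd,True,on
esx02.example.test,TSM,False,off
esx02.example.test,TSM-SSH,True,off
esx03.example.test,TSM,True,on
esx03.example.test,TSM-SSH,False,on
esx04.example.test,ntpd,True,on
"""

# vSphere service keys for the two interactive shells.
SHELL_SERVICES = {"TSM": "ESXi Shell", "TSM-SSH": "SSH"}


def audit_shell_services(csv_text):
    """Return sorted (host, service key, reason) findings."""
    findings = []
    seen = {}  # host -> shell service keys present in the export
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, key = row["VMHost"].strip(), row["Key"].strip()
        seen.setdefault(host, set())
        if key not in SHELL_SERVICES:
            continue
        seen[host].add(key)
        # Running now: someone started it and did not stop it again.
        if row["Running"].strip().lower() == "true":
            findings.append((host, key, "running"))
        # Policy other than "off": the service can start again
        # without an operator enabling it.
        policy = row["Policy"].strip().lower()
        if policy != "off":
            findings.append((host, key, f"startup policy '{policy}'"))
    # A host with no row for a shell service cannot be called compliant.
    for host, keys in seen.items():
        for key in SHELL_SERVICES.keys() - keys:
            findings.append((host, key, "no data"))
    return sorted(findings)


if __name__ == "__main__":
    for host, key, reason in audit_shell_services(SAMPLE_CSV):
        print(f"{host}: {SHELL_SERVICES[key]} ({key}) {reason}")
```

A service that is running while its policy is "off" (esx02 in the sample) is the typical trace of a troubleshooting session that was never closed out.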

10. Disable VAAI primitives that are not supported by Nutanix AHV

VAAI is a set of hardware acceleration APIs that allow certain storage operations to be offloaded from the VMware vSphere host to the storage array. This can improve performance and reduce resource utilization on the host.

However, not all VAAI primitives are supported by Nutanix AHV, and enabling them can actually lead to decreased performance and stability issues. Therefore, it’s important to disable any VAAI primitives that are not supported by Nutanix AHV before using Nutanix with VMware.

The following VAAI primitives are not supported by Nutanix AHV and should be disabled:

– ATS (Atomic Test & Set)
– Clone Blocks
– Extended Stats
– Hardware Assisted Locking
– Thin Provisioning Stun

